DOD gives Internet balloting another try

Related Links

The Defense Department is testing a new program that delivers ballots and registration materials via the Internet to service members deployed overseas. But experts and critics have assailed the program’s implementation and lack of security. Four outside computer security experts, led by David Wagner of the University of California at Berkeley, found that the system is vulnerable to identity theft and hackers.

DOD first used the Interim Voting Assistance System (IVAS) in 2004. It has updated the system with two new features that connect overseas military employees to local elections officials in their home districts. The features rely on a secure messenger service developed by DOD’s Federal Voting Assistance Program.

The first new feature lets service members fill out voter registration cards and e-mail them to local elections officials, who then send electronic ballots via e-mail. A second new feature saves registration information on a secure DOD server, which allows an elections official to pick up that information and drop off PDF ballots. Even if service members use the new features, they still must send their completed votes by traditional mail, officials said.

The computer scientists who evaluated the IVAS system published a report in October stating that DOD has not tested IVAS in previous elections and that the department has not published an outside security evaluation. “In such a system, there is no way to provide effective oversight and no provision for outside observers,” the experts wrote.

An internal DOD report also criticized the IVAS system. In August, the department prepared an internal evaluation that faulted the system for transmitting voter information via unsecured e-mail. Such traffic “is easily monitored, blocked and subject to tampering,” according to the internal report. “The publication of e-mail addresses of voting officials subjects those offices to attack, effectively blocking votes.”

In 2004, only 108 counties participated in IVAS, and 17 voters downloaded ballots, the DOD report states. The report adds that the required identity information includes service members’ names, Social Security numbers and dates of birth — all forms of identification that identity thieves can easily steal.

David Chu, undersecretary of Defense for personnel and readiness, defended the system at a Sept. 28 Senate Armed Services Committee hearing. “There is no perfect security system, and so we believe that e-mail is reasonably secure for these purposes,” he said.

Chu testified that DOD’s role is limited to expanding access to voter procedures and educating service members about local regulations. “Voting in the United States is ultimately a local responsibility,” he said.

State officials, such as Deborah Markowitz, Vermont’s secretary of state and president of the National Association of Secretaries of State, praised the initiative but said that better communication between DOD and local officials is crucial to its future success. The updated IVAS system was completed in August and implemented by DOD’s Business Transformation Agency in only three weeks.

Markowitz said local rules will continue to hamper the program. For example, Vermont requires voters to take an oath during registration in the presence of a notary, which is impossible to do electronically, she said.

Rep. Holt blasts DOD’s e-ballot initiativeRep. Rush Holt (D-N.J.) said he believes the Defense Department is putting service members’ right to a secret vote in jeopardy with its new plan for Internet voting.

In a Nov. 2 letter to Defense Secretary Donald Rumsfeld, Holt said DOD’s Interim Voting Assistance System (IVAS) might do more harm than good because soldiers must sign a waiver of their right to a secret ballot in order to use it. Warfighters should not feel that their employer is privy to their voter information, he said.

Holt said he also believes the program exposes soldiers to vote tampering and identity theft by failing to protect sensitive information. “No bank would ask their customers to send Social Security numbers over unencrypted e-mail, yet the IVAS does exactly that,” he wrote.